dcrat | 7f1beb32d0565e8ebe9db45b1bc9a29b8fe6f2cfb7f17605bd2f6ec40f761b89

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Size

1.6MB
MD5

27b689b77f3516a11f09ecb8897ad4c2
SHA1

654cb72e6167f879a83930da230b28099359721f
SHA256

5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772
SHA512

8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5344	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6000	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	4192	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4192	schtasks.exe	88

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3320-1-0x0000000000FC0000-0x0000000001162000-memory.dmp	dcrat
behavioral2/files/0x0007000000024296-26.dat	dcrat
behavioral2/files/0x00120000000240c9-94.dat	dcrat
behavioral2/files/0x000c000000024266-129.dat	dcrat
behavioral2/files/0x000c00000002429c-164.dat	dcrat
behavioral2/files/0x000b0000000242a7-187.dat	dcrat
behavioral2/files/0x00080000000242b4-210.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1620	powershell.exe
3144	powershell.exe
5976	powershell.exe
5672	powershell.exe
5632	powershell.exe
2292	powershell.exe
5872	powershell.exe
3080	powershell.exe
2760	powershell.exe
2256	powershell.exe
5748	powershell.exe
5796	powershell.exe
4304	powershell.exe
2036	powershell.exe
3740	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 14 IoCs

pid	Process
3264	RuntimeBroker.exe
5612	RuntimeBroker.exe
4924	RuntimeBroker.exe
4736	RuntimeBroker.exe
3232	RuntimeBroker.exe
1932	RuntimeBroker.exe
440	RuntimeBroker.exe
3372	RuntimeBroker.exe
4940	RuntimeBroker.exe
368	RuntimeBroker.exe
5552	RuntimeBroker.exe
1732	RuntimeBroker.exe
5772	RuntimeBroker.exe
3388	RuntimeBroker.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4656_2018922557\System.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RCX5FC9.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX6FA6.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\edge_BITS_4656_2018922557\System.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX5B80.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\edge_BITS_4656_2018922557\RCX5DC5.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX64DF.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\edge_BITS_4656_2018922557\27d1bcfc3c54e0	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\eddb19405b7ce1	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RCX5FCA.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX624C.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Internet Explorer\upfc.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\9e8d7a4ca61bd9	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX62CA.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX64DE.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX7034.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX76E1.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\Internet Explorer\upfc.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6ccacd8608530f	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\Internet Explorer\ea1d8f6d871115	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\edge_BITS_4656_2018922557\RCX5DB4.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX76E0.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX5B81.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\Registry.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Windows\ja-JP\ee2ad38f3d4382	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\ja-JP\RCX7258.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\ja-JP\RCX7259.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Windows\ja-JP\Registry.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1348	schtasks.exe
4792	schtasks.exe
4844	schtasks.exe
4776	schtasks.exe
4156	schtasks.exe
4752	schtasks.exe
4984	schtasks.exe
4904	schtasks.exe
6140	schtasks.exe
5096	schtasks.exe
6000	schtasks.exe
4368	schtasks.exe
1232	schtasks.exe
4940	schtasks.exe
4852	schtasks.exe
5464	schtasks.exe
3564	schtasks.exe
4824	schtasks.exe
4996	schtasks.exe
3160	schtasks.exe
4928	schtasks.exe
396	schtasks.exe
2104	schtasks.exe
4284	schtasks.exe
4944	schtasks.exe
4860	schtasks.exe
3844	schtasks.exe
5344	schtasks.exe
4644	schtasks.exe
5040	schtasks.exe
4936	schtasks.exe
1140	schtasks.exe
2804	schtasks.exe
1124	schtasks.exe
2736	schtasks.exe
3244	schtasks.exe
4712	schtasks.exe
4736	schtasks.exe
5500	schtasks.exe
4700	schtasks.exe
2636	schtasks.exe
2244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3740	powershell.exe
3740	powershell.exe
5872	powershell.exe
5872	powershell.exe
5632	powershell.exe
5632	powershell.exe
3080	powershell.exe
3080	powershell.exe
5796	powershell.exe
5796	powershell.exe
2036	powershell.exe
2036	powershell.exe
4304	powershell.exe
4304	powershell.exe
2760	powershell.exe
2760	powershell.exe
2292	powershell.exe
2292	powershell.exe
5748	powershell.exe
5748	powershell.exe
1620	powershell.exe
1620	powershell.exe
2256	powershell.exe
2256	powershell.exe
5672	powershell.exe
5672	powershell.exe
5976	powershell.exe
5976	powershell.exe
3144	powershell.exe
3144	powershell.exe
5872	powershell.exe
2036	powershell.exe
5632	powershell.exe
5632	powershell.exe
3740	powershell.exe
3740	powershell.exe
1620	powershell.exe
2256	powershell.exe
5748	powershell.exe
3080	powershell.exe
3080	powershell.exe
5796	powershell.exe
2760	powershell.exe
5976	powershell.exe
4304	powershell.exe
4304	powershell.exe
2292	powershell.exe
3144	powershell.exe
5672	powershell.exe
3264	RuntimeBroker.exe
3264	RuntimeBroker.exe
5612	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	5872	powershell.exe
Token: SeDebugPrivilege	5632	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	5796	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	5748	powershell.exe
Token: SeDebugPrivilege	5672	powershell.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	3264	RuntimeBroker.exe
Token: SeDebugPrivilege	5612	RuntimeBroker.exe
Token: SeDebugPrivilege	4924	RuntimeBroker.exe
Token: SeDebugPrivilege	4736	RuntimeBroker.exe
Token: SeDebugPrivilege	3232	RuntimeBroker.exe
Token: SeDebugPrivilege	1932	RuntimeBroker.exe
Token: SeDebugPrivilege	440	RuntimeBroker.exe
Token: SeDebugPrivilege	3372	RuntimeBroker.exe
Token: SeDebugPrivilege	4940	RuntimeBroker.exe
Token: SeDebugPrivilege	368	RuntimeBroker.exe
Token: SeDebugPrivilege	5552	RuntimeBroker.exe
Token: SeDebugPrivilege	1732	RuntimeBroker.exe
Token: SeDebugPrivilege	5772	RuntimeBroker.exe
Token: SeDebugPrivilege	3388	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 5872	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	135
PID 3320 wrote to memory of 5872	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	135
PID 3320 wrote to memory of 5672	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	136
PID 3320 wrote to memory of 5672	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	136
PID 3320 wrote to memory of 2292	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	137
PID 3320 wrote to memory of 2292	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	137
PID 3320 wrote to memory of 5632	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	139
PID 3320 wrote to memory of 5632	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	139
PID 3320 wrote to memory of 5976	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	140
PID 3320 wrote to memory of 5976	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	140
PID 3320 wrote to memory of 3144	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	142
PID 3320 wrote to memory of 3144	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	142
PID 3320 wrote to memory of 2036	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	143
PID 3320 wrote to memory of 2036	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	143
PID 3320 wrote to memory of 5748	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	144
PID 3320 wrote to memory of 5748	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	144
PID 3320 wrote to memory of 2256	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	146
PID 3320 wrote to memory of 2256	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	146
PID 3320 wrote to memory of 4304	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	147
PID 3320 wrote to memory of 4304	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	147
PID 3320 wrote to memory of 2760	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	148
PID 3320 wrote to memory of 2760	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	148
PID 3320 wrote to memory of 1620	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	150
PID 3320 wrote to memory of 1620	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	150
PID 3320 wrote to memory of 5796	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	151
PID 3320 wrote to memory of 5796	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	151
PID 3320 wrote to memory of 3740	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	152
PID 3320 wrote to memory of 3740	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	152
PID 3320 wrote to memory of 3080	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	153
PID 3320 wrote to memory of 3080	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	153
PID 3320 wrote to memory of 3264	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	165
PID 3320 wrote to memory of 3264	3320	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	165
PID 3264 wrote to memory of 3108	3264	RuntimeBroker.exe	167
PID 3264 wrote to memory of 3108	3264	RuntimeBroker.exe	167
PID 3264 wrote to memory of 5128	3264	RuntimeBroker.exe	168
PID 3264 wrote to memory of 5128	3264	RuntimeBroker.exe	168
PID 3108 wrote to memory of 5612	3108	WScript.exe	170
PID 3108 wrote to memory of 5612	3108	WScript.exe	170
PID 5612 wrote to memory of 6100	5612	RuntimeBroker.exe	171
PID 5612 wrote to memory of 6100	5612	RuntimeBroker.exe	171
PID 5612 wrote to memory of 3816	5612	RuntimeBroker.exe	172
PID 5612 wrote to memory of 3816	5612	RuntimeBroker.exe	172
PID 6100 wrote to memory of 4924	6100	WScript.exe	177
PID 6100 wrote to memory of 4924	6100	WScript.exe	177
PID 4924 wrote to memory of 4812	4924	RuntimeBroker.exe	178
PID 4924 wrote to memory of 4812	4924	RuntimeBroker.exe	178
PID 4924 wrote to memory of 4600	4924	RuntimeBroker.exe	179
PID 4924 wrote to memory of 4600	4924	RuntimeBroker.exe	179
PID 4812 wrote to memory of 4736	4812	WScript.exe	181
PID 4812 wrote to memory of 4736	4812	WScript.exe	181
PID 4736 wrote to memory of 2872	4736	RuntimeBroker.exe	182
PID 4736 wrote to memory of 2872	4736	RuntimeBroker.exe	182
PID 4736 wrote to memory of 4740	4736	RuntimeBroker.exe	183
PID 4736 wrote to memory of 4740	4736	RuntimeBroker.exe	183
PID 2872 wrote to memory of 3232	2872	WScript.exe	184
PID 2872 wrote to memory of 3232	2872	WScript.exe	184
PID 3232 wrote to memory of 2292	3232	RuntimeBroker.exe	185
PID 3232 wrote to memory of 2292	3232	RuntimeBroker.exe	185
PID 3232 wrote to memory of 380	3232	RuntimeBroker.exe	186
PID 3232 wrote to memory of 380	3232	RuntimeBroker.exe	186
PID 2292 wrote to memory of 1932	2292	WScript.exe	190
PID 2292 wrote to memory of 1932	2292	WScript.exe	190
PID 1932 wrote to memory of 2608	1932	RuntimeBroker.exe	192
PID 1932 wrote to memory of 2608	1932	RuntimeBroker.exe	192

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
"C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4656_2018922557\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfdb492c-d589-4d82-9dca-262f133eff2f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
      "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7014ce71-6001-471b-898b-bccbca9f71ba.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6100
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79d8e65c-9776-4c8f-972a-91e98a783e63.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3264a1e9-2454-4e0d-9df2-fc24aa50fbaa.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aadfe202-dca3-4d08-ab5e-1e011386c5f0.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14c5edb6-5791-4f96-ac0f-19c6a0b613b3.vbs"
        13⤵
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c172969-8b32-4fbf-8f81-080e6bd7912a.vbs"
        15⤵
        
        PID:6052
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67b38867-63c1-48d3-ae46-52c6a652e192.vbs"
        17⤵
        
        PID:4208
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7781522b-1cf9-49e5-83a9-25da971182dc.vbs"
        19⤵
        
        PID:5220
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1ecd37b-dce8-4671-ab74-dfaaf01e9b03.vbs"
        21⤵
        
        PID:2012
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\720c3aca-3c7e-42d6-8c15-9fd2ca8a7ba0.vbs"
        23⤵
        
        PID:4004
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38797daf-7a2c-4467-ba67-09b55b291951.vbs"
        25⤵
        
        PID:3988
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\813c1530-0069-4ffb-b21f-b0f67098c930.vbs"
        27⤵
        
        PID:4248
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d27ed64e-eb48-45cf-848e-0e999b8bb92e.vbs"
        29⤵
        
        PID:3668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff1d2136-7dfa-45cb-96fa-7387a6f5f818.vbs"
        29⤵
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13a48423-540f-4610-8775-96cbdc138665.vbs"
        27⤵
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17c02c7f-1510-4bb9-9a72-db5b9b30c585.vbs"
        25⤵
        
        PID:5632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2c4e3ca-4ec3-44c9-99dd-67113e5cd218.vbs"
        23⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f3fabb4-c583-46d3-b5da-eba387d90318.vbs"
        21⤵
        
        PID:5860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a0ab4b9-e843-402e-baf4-4d069601f2ed.vbs"
        19⤵
        
        PID:5996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c1a719e-c32c-4d52-a002-27f67cd3bf87.vbs"
        17⤵
        
        PID:3404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28e8c266-d2ee-4984-a304-038455b832c8.vbs"
        15⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6395bab3-badd-495d-ac5c-9e2f377bb84a.vbs"
        13⤵
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a454a7af-ca5f-4ac1-867e-52e4865ddec6.vbs"
        11⤵
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4f59aa-9cca-4284-978e-bc5ec32f6154.vbs"
        9⤵
        
        PID:4740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d079d2-b7f3-41b2-ac97-9f22c117e608.vbs"
        7⤵
        
        PID:4600
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8430e496-e9a8-4a62-8dea-1433b4c991fb.vbs"
        5⤵
        
        PID:3816
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\169613cc-6942-4b5d-a347-e3d4b4c959a2.vbs"
    3⤵
    PID:5128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4656_2018922557\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4656_2018922557\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4656_2018922557\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\60739cf6f660743813\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\60739cf6f660743813\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\60739cf6f660743813\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\60739cf6f660743813\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\60739cf6f660743813\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\60739cf6f660743813\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\lsass.exe

Filesize
1.6MB

MD5
92ce8eb423f60aae79ff92857f09193a

SHA1
e9a540c3717283d4a8fad64ac8a742c296fb7116

SHA256
dcaa886fbdcd1e5d1f25bb4f40aa362397ade54537e39157362f9710a7da3794

SHA512
7a8e32b19dab1908ca532c9413d980fd1f895bdbdc0766cdc407d6be527c571fe3ed3400f3cb841c96d9b243542d400f890f7a74ff4e0b53e61048f4da38ffc5

Download Submit
C:\60739cf6f660743813\sysmon.exe

Filesize
1.6MB

MD5
b65499c4b2063d568e0633b06a0fb421

SHA1
aeab7430ae755963f0d071afa32d15e971f59f9a

SHA256
7f87aaed5e4e57e0946d8610d2bb0368c7cb658cf52306d49805dfa2043961a4

SHA512
08f9c0dd997a1ed4e3c97ef1be7f8b773650e3a6544f2b44bab73e9a7c915ff0ca26d6c898783142b5344c5c74e9d2bd51704ceafad889c934df21502375975f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Idle.exe

Filesize
1.6MB

MD5
6dbc03515319aaeeed833f2bd09b342b

SHA1
6555abe0a173d91ef47631b43cebd7f3be51c5bf

SHA256
84b757f73675861ae8af9249ed5b0c6d63597f705b055e7a46098da62ace7ef5

SHA512
ce3498b32e46bb5d3d95bbff8b122e0466e0aeda9f5eb482f1fac2e27b25b48b587222b0c0e03b431dc448f8c0c01603936863b9b066caa14fedddc473751452

Download Submit
C:\Program Files (x86)\Windows Portable Devices\upfc.exe

Filesize
1.6MB

MD5
218335cce40a840541b5f3e8d40f60db

SHA1
827be4cb8b2f11c0ee9c3b48d477e2f3ae43af62

SHA256
3366fc38547de12bb6f2f0f32e8bee708cab8bb8be6161d77584f62a898cfe52

SHA512
7cac66d8483478098156da23cf32cce0a62db677305bb3555f0be14e81949f3269f01fe3a1ec15436ac259e802b00e9f07846d37a6f0dd881c70c74f957041f8

Download Submit
C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe

Filesize
1.6MB

MD5
27b689b77f3516a11f09ecb8897ad4c2

SHA1
654cb72e6167f879a83930da230b28099359721f

SHA256
5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772

SHA512
8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.6MB

MD5
d67d6059521a894bd7ea125af255d89c

SHA1
e286eea8d1244850c2cb78bda0eb4339338697a6

SHA256
d941027e2ffda3540fb315f12e8a76b3bc9a72a40b7ba4268a40d645a4e5f986

SHA512
e66c3a24e090cadc67a24014dfab1c53f4132ad7aec9b3738a6e1c6bf1c6277aca83302306bbd687296014e70226d74a637d52030a9244327a1b6198ea63178a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cc8b834c4799e3b95faca6693c6a639

SHA1
88b9c440b4b7f1dccfc370bde005c2fb28dd62d6

SHA256
3b0a17c256ac582ba2e803de0351577fba286b4d4ba8a623294aea2eaffdc42d

SHA512
924d4278173583638091c16586f343423ccbb3e4af28e0b845b8d6ec0cd7455236a5068f043b2d6b324aad3adfe6a25df81079149eca4714e5cafe9530dd3417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
463e13fe1ee633f0f91c090ab3cada33

SHA1
862eb302c9d1b16246489ac4e4f3fb64825700b9

SHA256
88239e65345837ebd72638929db8c8ae9e26e9c02e700941377fa7e9bdcb1f34

SHA512
0f1efab970042a1224c4689c99bc573759a03c95e1938c76af4d08527e5a50617047cfa5506bb7d77ac584aae9654754d85e5b294191092c0eb40b4c02592418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10c3e0050438034093cb39edd298d892

SHA1
48178182507db8b236027badb50ac1cee5ed8b58

SHA256
611b6f4c2f6e5ebf5e3d39048f9e95ab8d715a757be80e07046fad51f3a822e2

SHA512
d3cab03fa5d5b939e6bd2d3448fdf820a0ab729fa549791b612c2beb7499b87d60cb4b5416f7bf4c85d82cb6a6344060e347eb42cf48aed21c80ca98d0f713de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
71695e91b3e79390e8bcad655833f0bd

SHA1
9dbd1099ac92c9317a458cfe12dd2a1fdfec4960

SHA256
5d60b921292222effd5f6a66a8e3274f9f1e78a94866cfea71e6828245a2cf79

SHA512
f230c2ddc110682ccf015d90ad1ae7fa3c67b28bfc413aad60c1e50e03d54c26276d0edcd7204587cc93115a0f9b3b279b0e0778a2dce70825f6776452682a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6496a2b71ec0dbce6fc60af57002b7fe

SHA1
9f1dd767ecaa449b66226992a54671921d308116

SHA256
64c96ff4896acac87f648f35b4dc13d893d6bd5d7309d35d94afa6d682039eff

SHA512
b8dd139672db1a565e724e969af0bacacccc70fc2a8097569494373a77fd8364b5ff612debee2a9ba30e77da70c4be0771e196c4ea28a5e3f389576fb8e6e845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16e669660431a76b6985bae6a3e0ca0f

SHA1
55aead2478e085cc4fa52035dc6d3e9ceb856485

SHA256
df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2

SHA512
ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ceb796de20c8360e1e53623d78696e8a

SHA1
52e20d1bb718b5e04290816c3c740d8f89265bcb

SHA256
cdf217f7e76215d14186a36614f8d2bd6f911869af5c12d98827ec42734ce321

SHA512
2d9f010240f49f4ea4537ece426edeccf8f6b1f2013bfb5e5e8412bc54993043e101f205ed5ca93f26d77de3cce1ab7620b7f97792df06d6c803695f9baaf869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
091f20bbaff3637ace005fce1590be7b

SHA1
00d1ef232fc560231ff81adc227a8f2918235a29

SHA256
bd50b50b5e08067840cf1e6bb16f3ed0242649d826544899056db26876dec9fe

SHA512
ebc04d7de6bcbd6505c60432c6455bde985ac422cbda875ef5c1dd6ef44155ec0d43a882dd793e692d3723a257e3d12c48ac8c0dad7c21a99d446d4b3b257890

Download Submit
C:\Users\Admin\AppData\Local\Temp\14c5edb6-5791-4f96-ac0f-19c6a0b613b3.vbs

Filesize
757B

MD5
2f632aff363d36bb26a30870fa4ce242

SHA1
105bfef9ecde27c09090a1e826ca53c8e9daef5a

SHA256
008e0ad7be025dbfe3d06b271e8be116987f35afa3896f26f80aa3c9c879da33

SHA512
73765b60546c913d6dc81bacdfb0a5f6289f69b53139c54a610f6921d0dd6e7ecf7f93bd0bc1a9373e3b3293082d91b99a4faba564adb78fd1729690ddecc2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\169613cc-6942-4b5d-a347-e3d4b4c959a2.vbs

Filesize
533B

MD5
126db5b4428e9007a506251e4d2ae84f

SHA1
00847cd44dfa002bb543e468d913fa8c3b015910

SHA256
aad655bf6b685a04b1f934d00000a1e98357ba7bd3e21a012e0a86c6a3a89611

SHA512
825232ecc7ed020c2b2e72d1be8daa82fab7dd602e2214f4ff8487ce3cca6bc5dd30bbaae46fe741e107064528674cc1e143ba5252f4e534dcf0b8bc16b5e85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3264a1e9-2454-4e0d-9df2-fc24aa50fbaa.vbs

Filesize
757B

MD5
9d21cea95eb654a4356c4dd7dae2b063

SHA1
4a49630f1562245f0ed489cee9bc87b7f95c25c7

SHA256
ec3669145326e3585837d3b03b2d0c79d017a8f2c1a3da6c3ce451800192c436

SHA512
594a80bcafa555a72a0dfbcc3b063ddcfa437641d461652a02b4ee7614d6dd5f9ca77420f07b26d85f81dcd29820c48bf7dd30aa4b95bbe61bbb7c41d3727ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\38797daf-7a2c-4467-ba67-09b55b291951.vbs

Filesize
757B

MD5
faf1dd0b8e276e33599135686d3fd661

SHA1
611c1dc193aee55f328b7bce46fdd92c37d8c259

SHA256
e477a453c7ea109a8ea539b093c0fb6e38a61443c316f0d11697a99d9f82bcd9

SHA512
20b20f275ec250977163f73739d0b49d96aa30672f85d6f8f58f07b793af9e6d04f91d411db9e2c38051bab0183e6f560ab89607aac1469652f02f106ecf125d

Download Submit
C:\Users\Admin\AppData\Local\Temp\67b38867-63c1-48d3-ae46-52c6a652e192.vbs

Filesize
757B

MD5
9352ee559dbe48064abd5f574164b98c

SHA1
b765821220aec6ddd3ea54402eafbff50832d381

SHA256
db34f6fb676aeb22ac24a390aec54e111643824f447b33dbda95559f2c36fd08

SHA512
6e9463310fa00c0c3e99217716d3d7a48a444e4b9c22386a841b34f22240be3fc87759ce3c14bd7dc09af6b0740d4b338f6368c6227a73a2381fd1c66f4dd8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7014ce71-6001-471b-898b-bccbca9f71ba.vbs

Filesize
757B

MD5
f6f475f1bf9608aab29aeaf530cd7a4f

SHA1
d57a99d3e266392210e910676b780c920be68f93

SHA256
3c102702ad306ac25bc5a8fe857f80eeec6f6a3b978eca0773006f149e63ad18

SHA512
8f65c904ba3a6fccb8e753430786460659bf1bc44e4b73bbbbc30f508b727ffcab95a64101e3eedaa49386a9313547afa58f495bb484cd7720c49d8d630c1ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\720c3aca-3c7e-42d6-8c15-9fd2ca8a7ba0.vbs

Filesize
757B

MD5
09dda2e79d9655a4dc5dd831bd6b9417

SHA1
a6aa20d0037bcccf74eb2117b8830b525a36f153

SHA256
8753f9c85918d832049bdbc257c16d522a9414b266492f653037fad0d2d1f73e

SHA512
be3e89c7dab6e3ebdc83f7714ce106e020b6c5b11ba2f61cf6f4b9bff0a9c546dfda5387f1ce8e1c71d734d189db1732872a08ff4bd38925bd4b8ba277e8f484

Download Submit
C:\Users\Admin\AppData\Local\Temp\7781522b-1cf9-49e5-83a9-25da971182dc.vbs

Filesize
757B

MD5
7a74d51f2f959da65f3c4388ee762cb1

SHA1
65a40ace9ad8bc4f5d17847e2adc5e1462c638ae

SHA256
8c351b3565b8dc92e3d6a229467514a56c11e46f42bc59aced8b76e6c0bb9b6d

SHA512
32e76426961f9153ca335825f30d4d3a06321ab431a496722bfa94f77f39c8e7eff3cf8a201619f7763499e9023e5de4dbb70015c1592feb12724ae36cffe6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\79d8e65c-9776-4c8f-972a-91e98a783e63.vbs

Filesize
757B

MD5
6e601e6be16c4d9084207c5e90acc7e6

SHA1
d0fa8beacb58bf134e7d20165ae8aa0819aa2166

SHA256
a95dbffa74913743841354297032a5d53764a6b8264792aa54a53ec3b273a136

SHA512
194a0aefb57f0026c1c2e8085d51916d9759fa2423c01a421811ec0ab03cc0d6f548b2c5bb6a6442ff1ccb80372b9957d96dc63129b7eb801d3ffeb2330c7aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c172969-8b32-4fbf-8f81-080e6bd7912a.vbs

Filesize
756B

MD5
556dbbe305cf7f77f5eca7b078e37959

SHA1
70b03eb60d4ff41c352898c52552e2b52b8d38c7

SHA256
a6e3d3d4292fb29b15c79eaceca34e477650559d2d9ff95503cfab825feedfa7

SHA512
7522a78e759f8e9b15111eac9bda09369232a1c11f768496aefdddaef825a64ccdf2945fe56b6693843d9521e233729c5e3b50def2e60755496c6fd1a395049e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lybonmyg.et3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aadfe202-dca3-4d08-ab5e-1e011386c5f0.vbs

Filesize
757B

MD5
1ebf62e42cbed97b2bfc2617beff9036

SHA1
f87d1908c1f68b577ec9b5ef7fbbdc17e44027bb

SHA256
1d29b93893a639cba60cc21de251d387b383685ffb683a728a8ea7b2325f1295

SHA512
92ac8dabe3bb40667b5ad048295295e5367b5e9b0b4ba27cd698b5f40f221eff5263841676c6ae0fdc72f5483720282d0b83d51191a120176a8ad6f0b917cde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1ecd37b-dce8-4671-ab74-dfaaf01e9b03.vbs

Filesize
756B

MD5
a4e62537e28a28badbddb6bc28e03005

SHA1
a3ced6b6b713ebdbb4c9e7c14b2457feeda6b08f

SHA256
80f3367491b9f0b77217af38c7e3ec1be9c0c7e1966812a1195f16a1674f916d

SHA512
59495c5e27bb93580fb37c795dc76c679273d01583ab93ae577299ab9b5587226efb846d54f7dceb4ca9d58d384dbe91a3b772cd13a1f3f19debdbf6c0741f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfdb492c-d589-4d82-9dca-262f133eff2f.vbs

Filesize
757B

MD5
82e914379babc72be72da80a7c3d6fcf

SHA1
e649158a2c0072704e0d505530d03a460717fb03

SHA256
d0cc16ed63bec8fa821178041802c57fd264740c392e44c788c7a209f1cdd137

SHA512
4d53c984410a59f11a73588e68d53634020e811c81773cc33ec76e0411abace1aaf8a6bc2e2e3de3a780a4779f14977b67b3e756cddad76bacf7a0ef285e6491

Download Submit
memory/3320-13-0x000000001C630000-0x000000001C63E000-memory.dmp

Filesize
56KB

Download
memory/3320-11-0x000000001C410000-0x000000001C41C000-memory.dmp

Filesize
48KB

Download
memory/3320-1-0x0000000000FC0000-0x0000000001162000-memory.dmp

Filesize
1.6MB

Download
memory/3320-213-0x00007FF8D0360000-0x00007FF8D0E21000-memory.dmp

Filesize
10.8MB

Download
memory/3320-190-0x00007FF8D0363000-0x00007FF8D0365000-memory.dmp

Filesize
8KB

Download
memory/3320-17-0x000000001C660000-0x000000001C66C000-memory.dmp

Filesize
48KB

Download
memory/3320-16-0x000000001C760000-0x000000001C76A000-memory.dmp

Filesize
40KB

Download
memory/3320-15-0x000000001C650000-0x000000001C658000-memory.dmp

Filesize
32KB

Download
memory/3320-14-0x000000001C640000-0x000000001C648000-memory.dmp

Filesize
32KB

Download
memory/3320-0-0x00007FF8D0363000-0x00007FF8D0365000-memory.dmp

Filesize
8KB

Download
memory/3320-12-0x000000001C420000-0x000000001C42A000-memory.dmp

Filesize
40KB

Download
memory/3320-410-0x00007FF8D0360000-0x00007FF8D0E21000-memory.dmp

Filesize
10.8MB

Download
memory/3320-2-0x00007FF8D0360000-0x00007FF8D0E21000-memory.dmp

Filesize
10.8MB

Download
memory/3320-10-0x000000001C400000-0x000000001C40C000-memory.dmp

Filesize
48KB

Download
memory/3320-9-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/3320-6-0x000000001C3E0000-0x000000001C3F6000-memory.dmp

Filesize
88KB

Download
memory/3320-8-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

Filesize
64KB

Download
memory/3320-7-0x0000000003310000-0x0000000003318000-memory.dmp

Filesize
32KB

Download
memory/3320-5-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/3320-4-0x000000001C430000-0x000000001C480000-memory.dmp

Filesize
320KB

Download
memory/3320-3-0x00000000032F0000-0x000000000330C000-memory.dmp

Filesize
112KB

Download
memory/3740-272-0x000001E62C160000-0x000001E62C182000-memory.dmp

Filesize
136KB

Download
memory/5612-464-0x000000001D150000-0x000000001D252000-memory.dmp

Filesize
1.0MB

Download